CN107209831A - System and method for recognizing network attack - Google Patents


Info

Publication number: CN107209831A
Authority: CN (China)
Prior art keywords: dom, code, codes, flo, tester
Legal status: Granted (active)
Application number: CN201580061985.1A
Other languages: Chinese (zh)
Other versions: CN107209831B (en)
Inventors: N. Pastore (N·帕斯托雷), C. Giangregorio (C·吉安格雷戈里奥), P. Rimaudo (P·丽玛乌多), M. P. Bogana (M·P·博加纳)
Current assignee: Clive associates Inc.
Original assignee: Cliff Ltd
Priority claimed from: PCT/IB2015/058307 (WO2016075577A1)
Events: application filed by Cliff Ltd; publication of CN107209831A; application granted; publication of CN107209831B; anticipated expiration


Classifications

    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks (under H04L63/1441 Countermeasures against malicious traffic; H04L63/14 Detecting or protecting against malicious traffic; H04L63/00 Network architectures or network communication protocols for network security)
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action (under G06F21/55; G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
    • H04L41/0273 Exchanging or transporting network management information using the Internet, using web services for network management, e.g. simple object access protocol [SOAP] (under H04L41/0246; H04L41/02 Standardisation; Integration; H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks)
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters (under H04L43/00 Arrangements for monitoring or testing data switching networks)
    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic; H04L63/14; H04L63/00)
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] (under H04L67/01 Protocols; H04L67/00 Network arrangements or protocols for supporting network services or applications)
    • G06F2221/032 Protect output to user by software means (under G06F2221/03 Indexing scheme relating to G06F21/50; G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
    • G06F2221/2119 Authenticating web pages, e.g. with suspicious links (under G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups; G06F2221/00)

Abstract

This disclosure relates to a system (1) and to a method of using that system (1) to detect and counter man-in-the-browser and/or man-in-the-middle network attacks. The system (1) comprises a traffic detector (2) ("flo-tester" in the page's machine translation) in signal communication with a client computer (3) on which a web browser (4) is installed for internet browsing, and with a web server (5) hosting a web application (6). The traffic detector (2) is configured to receive from the web browser (4) a request associated with the web application (6), to send that request to the web server (5), and to receive from the web server (5) the server DOM code associated with the request. The system is characterised in that it comprises a traffic analyzer (7) ("NetStream Data Analyzer" in the page's machine translation) in signal communication with the traffic detector (2), an algorithm application (8) being installed on the traffic analyzer (7); the traffic detector (2) is configured to add a predetermined code portion to the server DOM code, thereby generating client DOM code that is sent to the web browser (4), and to receive the rendered DOM code associated with that client DOM code; the traffic detector (2) is configured to send the client DOM code and the rendered DOM code to the traffic analyzer (7); and the algorithm application (8) is configured to process the rendered DOM code and to compare it with the client DOM code, thereby identifying at least one code difference.

Description

System and method for recognizing network attack
Technical field
This disclosure relates to a system and a method for detecting and countering network attacks.
In particular, it relates to a method for detecting and countering man-in-the-browser (MitB) and/or man-in-the-middle (MitM) attacks. In other words, the invention makes it possible to monitor and protect a web application (web server) against attacks originating from the client's web browser.
Background technology
Known techniques for countering computer security attacks, including man-in-the-browser and man-in-the-middle attacks, rely on antivirus software. A man-in-the-browser attack is an attack in which the web browser itself is manipulated directly, so that the content normally shown to the user when visiting a website is altered. Man-in-the-browser (MitB) attacks are carried out, without the user's knowledge, by malware installed on the computer. Such malware (for example a proxy trojan) interacts with the memory of the web browser process and redirects the normal flow of the system calls used by the browser to specific malware functions, whose purpose is, for example, to inject additional HTML code into the downloaded web page. It should be noted that in a man-in-the-browser attack the connection to the original web server of the attacked site is genuinely established, which makes the attack hard to detect: neither the web browser nor the web application can recognise the content that the malware has added to what the browser actually downloaded. Recognised man-in-the-browser attacks include the theft of credit card details from e-banking and e-commerce sites and fraudulent transactions that are often started automatically, with no user interaction.
In more detail, when a user requests a web page (that is, a web application) through a web browser, the web server hosting the page sends the HTML source code (the Document Object Model, DOM) to the browser. The DOM code is passed to the browser's rendering engine and displayed to the user. On a PC infected with malware, for example, the DOM code received from the web server is altered by the malware before the browser's rendering engine processes it: the malware injects additional code (for example a script) into the DOM code received from the web server so as to change the content shown to the user. The changes the malware makes to the DOM code downloaded from the web server may affect the HTML and/or JavaScript code and/or any other content or web resource. As noted above, the browser remains connected to the original web server while these changes, which may be graphical and/or behavioural, are made. The user is therefore shown a modified web page that reproduces the page originally requested by the client, and the client, without realising it, allows access to his or her own personal data or authorises fraudulent transactions against his or her own account.
In the banking field, for example, a malware-infected computer typically logs in to the internet banking website over HTTPS and downloads the web page data. The malware then alters that data in real time by adding transaction-manipulation scripts, for instance to perform automatic transfers. Such scripts can also redirect a transfer genuinely ordered by the user to another recipient, or more simply request credit card details and/or add fields that the user is asked to fill in with further data.
Prior art problem
The antivirus software installed on a PC or on a client user device (for example a smartphone or tablet) is not very effective against this kind of computer security threat. Antivirus software can only recognise a part of the man-in-the-browser attacks that occur over the internet. Web browsers that meet high security standards or that ship with internet security software are also known. None of these prior-art solutions, however, can reasonably withstand a man-in-the-browser attack.
The content of the invention
It is an object of the invention to provide a system for preventing network attacks.
It is a further object of the invention to provide a method for preventing man-in-the-browser attacks using such a system.
It is yet another object of the invention to provide a system that detects the changes malware makes to the HTML and/or JavaScript code of the DOM of the web page and/or web resources downloaded by a user, and that proves that the content and/or DOM of the web resource and/or page sent to a given client is exactly the content and/or DOM actually shown to, or to be used by, that client.
A further object of the invention is to provide a method for preventing network attacks.
The advantage of the present invention
One embodiment provides a system that sits between the web browser and the monitored web application and intervenes on the HTTP and/or HTTPS requests made by the user.
Another embodiment provides a system, and a method using that system, for identifying any change to the DOM code actually downloaded for the web application. This makes it possible to recognise man-in-the-browser attacks and to ensure that the requested web page is shown to the user correctly.
Brief description of the drawings
The features and advantages of the disclosure will become apparent from the following detailed description of possible embodiments, shown as non-limiting examples in the accompanying drawings, in which:
- Fig. 1 shows an embodiment of a system for identifying and preventing network attacks according to the disclosure;
- Fig. 2 shows another embodiment of the system for preventing network attacks according to the disclosure;
- Fig. 3 shows a flow chart of the method for preventing network attacks according to the disclosure;
- Fig. 4 shows a flow chart of particular steps of the method for preventing network attacks according to the disclosure;
- Fig. 5 shows a flow chart of particular sub-steps of the method for preventing network attacks, with reference to Fig. 4.
Embodiment
Even where not stated explicitly, each feature described with reference to a particular embodiment should also be understood as complementary to, or interchangeable with, the other features described with reference to the other exemplary embodiments.
The present invention relates to a system 1 for identifying network attacks, in particular man-in-the-browser attacks.
With reference to Figs. 1 and 2, the system 1 comprises a traffic detector 2 ("flo-tester" in the page's machine translation) in signal communication with at least one client computer 3 on which a web browser 4 is installed for internet browsing.
The traffic detector 2 is in signal communication with a web server 5 hosting a web application 6.
In one aspect, a user can use the web browser 4 on the client computer 3 to request the web application 6 (for example a web page) residing on the web server 5. In other words, the user (or client) accesses the web page using the web browser 4 installed on the client computer 3. Obviously, during use the client computer 3 is connected to the internet over a wired or mobile telephone connection or any other known communication means.
The traffic detector 2 is configured to receive from the web browser 4 at least one request associated with the web application 6 and to send that request to the web server 5.
The traffic detector 2 is configured to receive from the web server 5 the server DOM code related to the request. The request is generated by the web browser 4 when the user uses the web browser 4 to request the address that uniquely identifies the internet resource (that is, the web application 6) residing on the web server 5.
Preferably, the traffic detector 2 is configured to use the HTTP or HTTPS protocol at least to receive the request associated with the web application 6 from the web browser 4 and to send it to the web server 5.
According to a preferred embodiment, the traffic detector 2 is designed to be installed as a software component in the web application 6, and/or as a firewall software module and/or load balancer and/or network appliance and/or hardware device and/or software module on the web server 5 hosting the web application 6.
Preferably, the traffic detector 2 is installed in the same network as the web application 6 (for example on-premises) or is provided as an external service (for example SaaS or cloud).
The system 1 comprises a traffic analyzer 7 ("NetStream Data Analyzer" in the page's machine translation) on which an algorithm application 8 is installed. The traffic analyzer 7 is in signal communication with the traffic detector 2.
According to a preferred configuration, the traffic detector 2 and/or the traffic analyzer 7 are software components; more preferably, they are components of a dedicated server.
Preferably, the traffic detector 2 and the traffic analyzer 7 communicate by sending operations, which can be sent over one or more known communication protocols such as TCP, UDP, HTTP(S) and IMAP.
Advantageously, the traffic analyzer lies outside the data flow of the HTTP/HTTPS requests and can work independently of that flow.
The traffic detector 2 is configured to add an agent code portion to the server DOM code, thereby generating client DOM code, and to send the client DOM code to the web browser 4.
As noted above, the server DOM code (for example HTML code) is received and processed by the rendering engine of the web browser 4 so that the content of the web application 6 can be shown to the user as hypertext (for example a web page).
The traffic detector 2 is further configured to receive from the web browser 4 the rendered DOM code associated with the client DOM code.
In other words, the rendered DOM code is what results from the processing of the client DOM code by the rendering engine of the web browser 4.
The client DOM code is thus the code that malware may alter in order to carry out a man-in-the-browser or man-in-the-middle attack. As described above, the malware tampers with the browser's internal functions (known as hooking) so as to modify the client DOM code before it is passed to the rendering engine of the web browser 4. Consequently, if the client DOM code is modified, the rendered DOM code is modified too.
According to a preferred configuration, the server DOM code is the HTML and/or JavaScript code associated with the request.
Preferably, the agent code portion is HTML and/or JavaScript code.
It should be noted that the client DOM code comprises at least the server DOM code and the agent code portion.
According to a preferred embodiment, the agent code portion is a predetermined code portion, which preferably provides the web browser with at least one instruction to send the rendered DOM code to the traffic detector 2.
The traffic detector 2 is configured to send at least the client DOM code and the rendered DOM code to the traffic analyzer 7.
The algorithm application 8 on the traffic analyzer 7 is configured to process the rendered DOM code and to compare it with the client DOM code so as to identify at least one code difference. Preferably, the algorithm application 8 is configured to generate an attack indication signal (for example a MitB alarm) when it identifies at least one code difference that may relate to a network attack such as a man-in-the-browser (MitB) attack.
According to a preferred configuration, the algorithm application 8 processes the rendered DOM code to provide an estimate of the expected client DOM code, that is, of the client DOM code that the rendering engine of the web browser 4 must have processed in order to produce the rendered DOM code. The expected client DOM code is compared with the original client DOM code (that is, the client DOM code received by the client computer 3) to find a match between the two. In other words, the expected and original client DOM code are identical and consistent when the client DOM code was not altered before rendering, and similar and matching when the code differences are not due to the presence of malware.
According to the invention, when the algorithm application 8 identifies at least one code difference that may relate to a network attack (such as a MitB attack), the expected and original client DOM code are deemed not to match.
Preferably, the algorithm application 8 is therefore made to vary over time (polymorphism), either manually by a programmer or through a learning system. More preferably, the learning system of the algorithm application 8 is based, for example, on a statistical analysis of the specific behaviour of the web browser 4 (for example user-agent spoofing).
As used in this document, the term algorithm application refers to a program, or a series of programs, running on the traffic analyzer 7 that makes it possible to compare the client DOM code with the rendered DOM code and so to check for mismatches between them. In particular, the algorithm application 8 is a program or series of programs able to process the rendered DOM code so as to compare it with the client DOM code. For example, the algorithm uses a default, suitably configured function to provide an estimate of the expected client DOM code (that is, the code potentially altered by malware) that was received and processed by the rendering engine of the web browser 4. Because of a learning mechanism that takes into account the behaviour of the particular web browser implementing it, this default function changes over time (polymorphism). Since each web browser 4 renders the client DOM code in its own specific way, the default function is specific to each web browser 4. In other words, the default function of the algorithm application 8 is the "inverse function" of the DOM rendering: once the algorithm application 8 has received the rendered DOM code, it can provide an estimate of the expected client DOM code actually processed by the web browser 4, which is possible because the default function takes the behaviour of the web browser 4 into account. A comparison function, such as a plain-text diff, then compares the expected client DOM code estimated by the default function with the client DOM code, producing a set of code fragments that capture the differences between the detected client DOM code and the expected client DOM code. These fragments are the code sections potentially injected by the malware.
As used herein, the term "text diff" means an application that can compare two texts (for example two HTML code texts) and extract the differences between them.
In other words, a "text diff" is a program (that is, a comparison function) that highlights the differences between two files by comparing their respective code as plain text (for example by text overlay, keyword search or spell check).
According to a preferred embodiment, the algorithm application 8 resides on the traffic detector 2 and/or the client computer 3 and/or the web server 5. Preferably, the algorithm application 8 is split into sub-functions executed on several software components, preferably on the traffic detector 2 and/or the traffic analyzer 7 and/or the client computer 3 (for example the web browser 4) and/or the web server 5.
According to a preferred embodiment, before the "text diff" comparison of the two DOM codes is carried out, the traffic analyzer 7 or the traffic detector 2 processes the client DOM code and the rendered DOM code so as to normalise both and make them comparable.
This processing includes, for example, the removal of whitespace and carriage returns and the handling of character encoding.
For simplicity, the comparison between the client DOM code and the rendered DOM code described below should be understood to include all the steps of preparing the algorithm application 8, such as applying the default function, the text-diff comparison and the DOM code normalisation.
As described above, the comparison (possibly using a "text diff") between the client DOM code and the rendered DOM code makes it possible to extract the code differences, also known as fragments.
Each fragment is uniquely identified by its MD5 hash.
In addition, each fragment is associated with basic metadata, such as the user agent (that is, the type of web browser used by the user), that is used to form analysis clusters. This association is needed because each user agent (that is, each web browser 4) handles the previously received client DOM code differently during or after processing or rendering.
For example, some fragments identify minor changes (for example whitespace removal, code indentation, reordering of the parameters within each tag) or structural changes (for example the addition of closing tags where they were missing, or code formatting where the original HTML contained errors).
Some other fragments identify changes made by the web browser 4, such as scripts included in the web resource or web page, or generated by the resource or page itself, that modify the code when the web resource or page is rendered. These fragments are also known as application fragments.
Further fragments, referred to as external fragments, can be generated for example by browser plug-ins, that is, by malware that works with man-in-the-browser techniques or is introduced by man-in-the-middle techniques.
As described above, the malware tampers with the browser's internal functions (hooking) so as to modify the client DOM code before it is passed to the rendering engine of the web browser 4.
The extracted differences (that is, the fragments) are analysed using the comparison function and the other functions of the algorithm application 8.
These differences (or fragments) can be of the insertion or removal type.
Preferably, each fragment is evaluated against a baseline (for example a statistical baseline) organised by specific clusters (for example fragments classified by user agent or by operating system).
The traffic analyzer 7 can be configured to send at least an attack identification signal to the traffic detector 2, and/or to store the signal information, and/or to transmit the signal to an external system.
According to one configuration, the system 1 comprises a management computer 9 in signal communication with the traffic detector 2 and the traffic analyzer 7 and configured so that a user can program and monitor the operation of the traffic detector 2 and the traffic analyzer 7.
Preferably, the traffic detector 2 is configured to receive the attack identification signal and to send at least the attack identification signal to the web browser 4.
Preferably, the traffic analyzer 7 is configured to send the attack identification signal to the management computer and/or to an external system.
According to a preferred embodiment, the algorithm application 8 on the traffic analyzer 7 is configured to compare at least the client DOM code with the processed rendered DOM code and to generate at least one attack identification code when the client DOM code and the rendered DOM code do not match.
According to a preferred embodiment, the management computer 9 is a control panel through which a user can:
- monitor the status of the system 1; and/or
- view, check and/or monitor requests and traffic in real time; and/or
- view, check and/or monitor the history of requests and traffic; and/or
- monitor, set and manage attack identification signals (for example security alarms) or information signals; and/or
- display and manage the configuration of the system 1 and its components, and/or make changes to them.
Advantageously, because the system 1 analyses every request, it provides an overview of the situation synthesised over the session.
Advantageously, the system 1 of the invention makes it possible to identify and counter man-in-the-browser and/or man-in-the-middle attacks efficiently and safely, thus providing comprehensive monitoring of the user's requests.
The invention further relates to a method for identifying man-in-the-browser and/or man-in-the-middle network attacks using the system 1 of the invention, comprising the following steps:
- generating, via the web browser 4, a request for the web application 6 or a web resource using a URI or URL;
- sending the request to the web server 5 using the traffic detector 2;
- receiving, using the traffic detector 2, the server DOM code automatically generated by the web server 5 in response to the request;
- adding the agent code portion to the server DOM code using the traffic detector 2, thereby generating the client DOM code, and sending the client DOM code to the web browser 4;
- receiving and processing the client DOM code using the web browser 4 so as to automatically generate the rendered DOM code, and sending the rendered DOM code to the traffic detector 2;
- receiving the rendered DOM code using the traffic detector 2 and automatically sending the client DOM code and the rendered DOM code to the traffic analyzer 7;
- receiving, processing and comparing at least the client DOM code and the rendered DOM code using the algorithm application 8 residing on the traffic analyzer 7, so as to generate at least one attack identification signal when the client DOM code and the rendered DOM code do not match.
According to a preferred embodiment, the step of sending the request comprises the following:
- the request is sent using the HTTP or HTTPS protocol;
- the agent code portion is HTML and/or JavaScript code, or another type of code and/or language that the web browser can interpret;
- the client DOM code comprises at least the server DOM code and the predetermined code portion.
According to a preferred embodiment, the step of receiving and processing the client DOM code so as to automatically generate the rendered DOM code comprises the following steps:
- receiving the client DOM code using the web browser 4;
- processing the server DOM code contained in the client DOM code using the web browser so as to automatically generate the rendered DOM code;
- processing the agent code portion contained in the client DOM code using the web browser 4 so as to send the rendered DOM code to the traffic detector 2.
According to a preferred embodiment, the step of receiving and comparing at least the client DOM code and the rendered DOM code using the algorithm application 8 residing on the traffic analyzer 7, so as to generate at least one attack identification signal when they do not match, comprises the following step:
- sending the attack identification signal to the traffic detector 2 and/or the web browser 4 and/or the management computer 9 and/or an external unit.
According to a preferred embodiment, the same step of receiving and comparing at least the client DOM code and the rendered DOM code using the algorithm application 8 residing on the traffic analyzer 7 comprises the following step:
- using the algorithm application 8 residing on the traffic analyzer 7, receiving and comparing at least the client DOM code and the rendered DOM code by executing a comparison function, so as to generate at least one attack identification signal when the client DOM code and the rendered DOM code do not match.
An application example of the method of the invention is illustrated below.
Application example of the method (Fig. 3)
The method comprises the following steps:
- The user requests, from client computer 3, a resource or page of the Web site or application of interest using a URI or URL (resource ID) (block 301). Web browser 4 generates an HTTP or HTTPS request, which is sent directly to flo-tester 2; flo-tester 2 is installed on the same site as web application 6 or is available in a cloud environment.
- Flo-tester 2 acts as a reverse proxy system: it reads the host name and checks it against the original host name, address, URL or URI of the location of the web application 6 that it monitors and protects, according to its configuration key. Flo-tester 2 then sends the HTTP or HTTPS request to Web server 5 and obtains the DOM server code of the requested page (including cookies, headers and other information) (block 302).
- Flo-tester 2 randomly generates a UID (that is, a user code) (block 303). If the user has already made a request, flo-tester 2 reads the UID transmitted by client computer 3, for example via a cookie previously registered in the user's Web browser 4 (block 303a); otherwise it generates and sends a new UID (block 303b).
- Flo-tester 2 randomly assigns a unique HID (that is, a request code) to each individual HTTP or HTTPS request (block 304).
- Flo-tester 2 loads (block 305) an agent code part (for example, a script) and adds it (block 306) to the DOM server code of the requested page. The script may be HTML and/or Javascript code that provides a series of functions and a series of flags. As used herein, the term flag designates a variable that can take either of two states (for example, "true" or "false", "open" or "closed", "1" or "0"), whose value indicates whether a given event has actually occurred or whether the system is in a particular condition. Flags are used in code that performs a specific operation automatically only when a given state is reached or a given event has occurred. The script or agent code can be differentiated according to the UID or the IP making the request, or according to any other variable that can be set in system 1, so that a customized script can be added for each user of a user group.
- Flo-tester 2 sends the DOM client code, which includes the DOM server code and the agent code or script, to Web browser 4 (block 307).
- The user's Web browser 4 receives the DOM client code, renders the page, and automatically starts running the script or agent code (block 308).
- Once Web browser 4 has completed the rendering process or executed the script or agent code, it sends data to flo-tester 2 via a dedicated path, which may be fixed (for example, http(s)://webapplication/check) or variable (for example, http(s)://webapplication/fjlc3f4). This data is, for example, as follows:
a. flags used to check the rendering behavior and, for example, to identify a BOT or a javascript-disabled event (block 309);
b. the DOM rendered code (block 310);
- Flo-tester 2 receives this data via the fixed or variable dedicated path, packages it (block 311), for example by creating a job, and sends it asynchronously (block 312) to NetStream Data Analyzer 7. The job includes, for example, the following data:
a. metadata (for example, IP, user agent, request date/time, content length, access source, host, UID, HID);
b. the DOM client code;
c. the DOM rendered code.
- NetStream Data Analyzer 7 obtains the data and starts the analysis based on algorithm application program 8 (block 313).
- Algorithm application program 8 processes the DOM rendered code and reconstructs an estimate of the expected DOM client code. It then compares the DOM client code with the expected DOM client code, extracts the differences (additions or subtractions), and classifies these differences independently (block 314). The differences are individually referred to as snippets (block 315).
- Algorithm application program 8 processes these differences to assess the risk level of the identified snippets (block 316). Some snippets are produced by the user's browser and are referred to as browser behavior snippets (for example, the reordering of parameters or the addition of unclosed tags); other snippets are external snippets added by plug-ins or by malware (for example, Zeus); still other snippets are application snippets generated and added by the web application.
- Once NetStream Data Analyzer 7 has completed the analysis, it assigns a risk level to the HTTP or HTTPS request and may take countermeasures such as an alarm, a warning or a traffic stop (block 317).
- All data is stored, and the administrators of web application 6 can use these data via computer management device 9 (block 318).
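The inspector-side steps of blocks 303 to 307 and 311, written out as an added Python example; this is not code from the patent or from the applicant's product. The cookie name fi_uid, the dedicated path /check, the flags the agent collects and the job field names are assumptions of this example: the patent only states that a registered cookie carries the UID, that each request gets a random HID, that a script is added to the DOM server code, and that the browser returns flags plus the rendered DOM to a fixed or variable path.

```python
import json
import secrets
from http.cookies import SimpleCookie

# Assumed names (not from the patent): the UID cookie and the dedicated check path.
UID_COOKIE = "fi_uid"
CHECK_PATH = "/check"

# Agent code part (block 305): a script added to the DOM server code. In the browser it
# waits for rendering to finish, collects flags and the rendered DOM, and sends both to
# the inspector's dedicated path (blocks 308-310). The flag set is this example's choice.
AGENT_TEMPLATE = """<script>
(function () {
  // Flags: two-state variables recording whether a given event or condition occurred.
  var flags = { js_enabled: true, automation: navigator.webdriver === true };
  window.addEventListener("load", function () {
    var payload = { uid: "%(uid)s", hid: "%(hid)s", flags: flags,
                    dom_rendered: document.documentElement.outerHTML };
    navigator.sendBeacon("%(check_path)s", JSON.stringify(payload));
  });
})();
</script>"""


def read_or_create_uid(cookie_header):
    """Blocks 303a/303b: reuse the UID from a previously registered cookie, else create one.
    Returns (uid, set_cookie_value); set_cookie_value is None when no new cookie is needed."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    if UID_COOKIE in jar and jar[UID_COOKIE].value:
        return jar[UID_COOKIE].value, None
    uid = secrets.token_hex(16)
    # The inspector, not the page script, reads this cookie, so it can stay HttpOnly.
    return uid, f"{UID_COOKIE}={uid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def new_hid():
    """Block 304: a fresh random request code for every HTTP(S) request."""
    return secrets.token_hex(16)


def inject_agent(dom_server_code, uid, hid, check_path=CHECK_PATH):
    """Blocks 305/306: add the agent code part to the DOM server code, giving DOM client code.
    The script goes just before the last </body>; pages without one get it appended."""
    agent = AGENT_TEMPLATE % {"uid": uid, "hid": hid, "check_path": check_path}
    idx = dom_server_code.lower().rfind("</body>")
    if idx == -1:
        return dom_server_code + agent
    return dom_server_code[:idx] + agent + dom_server_code[idx:]


def build_job(meta, dom_client, dom_rendered):
    """Block 311: package metadata, DOM client code and DOM rendered code as one job for
    asynchronous delivery to the analyzer (block 312). Field names are assumptions."""
    required = ("ip", "user_agent", "date_time", "content_length", "host", "uid", "hid")
    missing = [k for k in required if k not in meta]
    if missing:
        raise ValueError(f"job metadata missing {missing}")
    return json.dumps({"metadata": meta, "dom_client": dom_client, "dom_rendered": dom_rendered})


def demo():
    """Constructed walk-through of blocks 302-307 for a first visit (no UID cookie yet)."""
    uid, set_cookie = read_or_create_uid("")
    hid = new_hid()
    dom_server_code = "<html><body><h1>Login</h1></body></html>"  # constructed server page
    return uid, set_cookie, hid, inject_agent(dom_server_code, uid, hid)
```

Because the agent serializes document.documentElement.outerHTML only after the load event, whatever a browser extension or injected code has changed in the DOM by that point is part of the DOM rendered code, while later changes are not; that is why the data of block 309 also carries flags about the rendering behavior rather than the DOM alone.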
An application example of the steps performed by algorithm application program 8 of the invention is illustrated below.
Referring also to Fig. 4, algorithm application program 8 performs statistically based mathematical operations, which comprise the following steps:
- A cluster key is created for the request (block 401). The key is created, for example, by hashing (for example, with an md5 hash) the environment variables specific to the cluster (for example, browser, browser version, OS, OS version, country). An example is as follows.
cluster_key = md5(browser + version + OS + country)
- A path key is created for the request (block 402). The key is created, for example, by hashing (for example, with an md5 hash) the URL of the HTTP or HTTPS request. An example is as follows.
path_key = md5(path_request)
- The cluster key and the path key of the request are merged, thus defining a request key (block 403). Example:
request_key = cluster_key + path_key
- The value of request_key is incremented (block 404). Example:
increment(request_key, 1)
- The DOM client code is normalized (block 405) and the DOM rendered code is normalized (block 406). Example:
normalized_dom_rendered = normalize(dom_rendered)
normalized_dom_client = normalize(dom_client)
- A comparison function is executed to compare the normalized DOM rendered code with the normalized DOM client code (block 407), obtaining a list of snippets (block 408). For example:
snippet_array = compare(normalized_dom_rendered, normalized_dom_client)
- The following steps are executed for each element of snippet_array (block 409).
In this respect, and referring to Fig. 5, there is a step of creating a key for the recognized snippet (block 501). This key is created by hashing (for example, with an md5 hash) the variables specific to the snippet (for example, content, type [insertion, deletion], size). An example is as follows:
a. snip_key = md5(snippet_array[N](type) + snippet_array[N](len) + snippet_array[N](content))
b. The snippet key and the request key are merged to obtain a statistical snippet key (block 502):
stat_snip_key = request_key + snip_key
c. The value of stat_snip_key is incremented (block 503):
increment(stat_snip_key, 1)
d. The value of request_key and the value of stat_snip_key are compared to define the risk level of the recognized snippet (block 504). For example, the comparison is as follows:
i. Where a behavior snippet is identified, if extract_value_of(stat_snip_key) == extract_value_of(request_key), the risk level is low (block 505).
ii. Where an application snippet or an external snippet (for example, a browser plug-in) is identified, if extract_value_of(stat_snip_key) < extract_value_of(request_key), the risk level is medium (block 506).
iii. Where a high-risk browser man-in-the-middle or man-in-the-middle external snippet is identified, if extract_value_of(stat_snip_key) << extract_value_of(request_key), the risk level is high (block 507).
In other words, a characteristic feature of algorithm application program 8 is that it compares the frequency of the snippets within the cluster.
If the count is reasonably close to the baseline, the snippet is a browser-related behavior snippet and/or a snippet caused by a widely deployed plug-in.
In this case, the algorithm assigns a low or zero risk level.
If, however, the count deviates from the baseline, an unexpected and significant difference exists.
Depending on multiple factors (for example, the length of the modified code and the type of the injected code), algorithm application program 8 assigns a medium to very high risk level.
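The statistics of Figs. 4 and 5, from cluster_key through the risk level of block 504, carried through end to end as an added Python example; this is not the patent's own code. The normalize() rules (collapse whitespace, lower-case tag names), the token-level diff used as compare(), the in-memory Counter standing in for the analyzer's store, the ratio thresholds standing in for the patent's ==, < and << conditions, and the sample cluster of 100 requests are all assumptions of this example.

```python
import hashlib
import re
from collections import Counter
from difflib import SequenceMatcher

# In-memory stand-in for the analyzer's persistent counters (assumption: the patent's
# increment()/extract_value_of() address a store it does not describe).
COUNTERS = Counter()

def md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def cluster_key(browser, version, os_name, country):
    """Block 401: hash of the environment variables that define the cluster."""
    return md5(browser + version + os_name + country)

def path_key(path_request):
    """Block 402: hash of the requested URL."""
    return md5(path_request)

def increment(key, amount=1):
    COUNTERS[key] += amount

def extract_value_of(key):
    return COUNTERS[key]

def normalize(dom):
    """Blocks 405/406. The patent leaves normalize() unspecified; this version (assumption)
    collapses whitespace, drops whitespace between tags and lower-cases tag names, so that
    serialization differences alone do not become snippets."""
    dom = re.sub(r"\s+", " ", dom).strip()
    dom = re.sub(r">\s+<", "><", dom)
    return re.sub(r"<(/?)([A-Za-z][\w-]*)",
                  lambda m: "<" + m.group(1) + m.group(2).lower(), dom)

def tokenize(dom):
    """Split markup into tag tokens and text tokens."""
    return re.findall(r"<[^>]*>|[^<]+", dom)

def compare(normalized_dom_rendered, normalized_dom_client):
    """Blocks 407/408: each run of tokens the rendered DOM adds to, or drops from, the
    client DOM becomes one snippet with the type/len/content fields hashed in block 501."""
    client, rendered = tokenize(normalized_dom_client), tokenize(normalized_dom_rendered)
    snippets = []
    matcher = SequenceMatcher(a=client, b=rendered, autojunk=False)
    for op, i1, i2, j1, j2 in matcher.get_opcodes():
        if op in ("delete", "replace"):
            content = "".join(client[i1:i2])
            snippets.append({"type": "deletion", "len": len(content), "content": content})
        if op in ("insert", "replace"):
            content = "".join(rendered[j1:j2])
            snippets.append({"type": "insertion", "len": len(content), "content": content})
    return snippets

def risk_level(stat_count, request_count):
    """Block 504: how often this snippet has been seen in the cluster relative to the number
    of requests the cluster has made. Thresholds are assumptions standing in for ==, <, <<."""
    ratio = stat_count / request_count
    if ratio >= 0.9:
        return "low"      # block 505: on (nearly) every request, i.e. browser behavior
    if ratio >= 0.05:
        return "medium"   # block 506: a subset of the cluster, e.g. application or plug-in
    return "high"         # block 507: rare in the cluster, possible man-in-the-browser

def analyze(env, path_request, dom_client, dom_rendered):
    """Figs. 4 and 5 for one request: returns [(snippet, risk), ...]."""
    request_key = cluster_key(*env) + path_key(path_request)                # block 403
    increment(request_key, 1)                                               # block 404
    snippet_array = compare(normalize(dom_rendered), normalize(dom_client))  # 405-408
    results = []
    for snip in snippet_array:                                              # block 409
        snip_key = md5(snip["type"] + str(snip["len"]) + snip["content"])   # block 501
        stat_snip_key = request_key + snip_key                              # block 502
        increment(stat_snip_key, 1)                                         # block 503
        results.append((snip, risk_level(extract_value_of(stat_snip_key),
                                         extract_value_of(request_key))))   # block 504
    return results

# Constructed sample data: one cluster of browsers requesting /login. Every browser in the
# cluster adds <head> and quotes attribute values when it serializes the page; one request
# additionally carries a <script> element the server never sent (URL is a placeholder).
ENV = ("Chrome", "118", "Windows 10", "IT")
DOM_CLIENT = "<html><body><form id=login><input name=user></form></body></html>"
RENDERED_OK = '<html><head></head><body><form id="login"><input name="user"></form></body></html>'
RENDERED_INJECTED = RENDERED_OK.replace(
    "</body>", '<script src="https://attacker.invalid/inject.js"></script></body>')

def run_demo(cluster_size=100):
    """Feed cluster_size - 1 clean requests, then one carrying the injected script, and
    return the per-snippet risk levels of that last request."""
    COUNTERS.clear()
    for _ in range(cluster_size - 1):
        analyze(ENV, "/login", DOM_CLIENT, RENDERED_OK)
    return analyze(ENV, "/login", DOM_CLIENT, RENDERED_INJECTED)

if __name__ == "__main__":
    for snippet, risk in run_demo():
        print(f"{risk:6} {snippet['type']:9} {snippet['content'][:60]}")
```

run_demo() shows the baseline effect the text describes: the three differences every browser in the cluster produces (the added <head>, the quoted attribute values) are counted on every request and score low, while the <script> element present in only one of 100 rendered DOMs scores high. The same injected snippet on the very first request of a new cluster scores low, because a count of 1 against a request count of 1 is indistinguishable from browser behavior; a deployment therefore needs a warm-up period, or the additional factors the text mentions (length of the modified code, type of the injected code), before the frequency alone is trusted.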
Advantageously, because system 1 analyzes each request, system 1 provides a summary of what happens during the session.
For example, the method implemented by system 1 can detect the following:
- whether a request comes from a human user or from a BOT;
- whether a request has "reasonable" or "unreasonable" timing;
- the user agent and IP from which a request comes;
- the UID from which a request comes.
Advantageously, the method of the invention provides complete tracking and session monitoring of the user (that is, the client user).
According to a preferred embodiment, the method comprises the following steps:
- automatically removing malicious snippets by providing feedback to the user's Web browser 4;
- obtaining screenshots and a behavioral analysis of the user on the page;
- analyzing the user's path within the Web site via a request timeline;
- modifying the DOM server code by changing attribute values, link values, forms, fields and/or functions of the HTML and/or Javascript code;
- modifying the DOM server code by adding, modifying and/or reorganizing the content of the DOM server code.
Advantageously, the method of the invention makes it possible, by using system 1, to browse efficiently and safely and to recognize and counter browser man-in-the-middle and/or man-in-the-middle attacks, thus providing comprehensive monitoring of the user's requests.
Those skilled in the art will readily understand that numerous changes and variations to the above description can be made to meet particular requirements without departing from the scope of the invention as defined in the appended claims.

Claims (12)

1. A system (1) for recognizing network attacks, comprising:
a flo-tester (2) in signal communication with at least one client computer (3) and a Web server (5), wherein the client computer (3) has a Web browser (4) residing therein for Internet browsing, and the Web server (5) has a web application (6) residing therein,
the flo-tester (2) being configured to, when a user of the client computer (3) makes via the Web browser (4) at least one request associated with the web application (6), receive the request from the Web browser (4) and send the request to the Web server (5),
the flo-tester (2) being configured to receive, from the Web server (5), DOM server code associated with the request,
characterized in that the system further comprises:
a NetStream Data Analyzer (7), wherein the NetStream Data Analyzer (7) has an algorithm application program (8) residing therein and is in signal communication with the flo-tester (2),
the flo-tester (2) being configured to add an agent code part to the DOM server code, thereby generating DOM client code, and to send the DOM client code to the Web browser (4),
the flo-tester (2) being configured to receive, from the Web browser (4), DOM rendered code associated with the DOM client code,
the flo-tester (2) being configured to send at least the DOM client code and the DOM rendered code to the NetStream Data Analyzer (7),
the algorithm application program (8) being configured to process the DOM rendered code and to compare the DOM rendered code with the DOM client code in order to recognize at least one code difference.
2. The system (1) according to claim 1, wherein the flo-tester (2) is configured to use the HTTP or HTTPS protocol at least to receive the request associated with the web application (6) from the Web browser (4) and to send the request to the Web server (5).
3. The system (1) according to claim 1, wherein the DOM server code is HTML and/or Javascript code associated with the request, the agent code part is HTML and/or Javascript code, and the DOM client code at least includes the DOM server code and the agent code part.
4. The system (1) according to claim 1, wherein the agent code part is configured to instruct the Web browser (4) to send the DOM rendered code to the flo-tester (2).
5. The system (1) according to claim 1, further comprising a computer management device (9), wherein the computer management device (9) is in signal communication with the NetStream Data Analyzer (7) and is configured to allow a user to program and monitor the operation of the NetStream Data Analyzer (7).
6. The system (1) according to claim 1, wherein the NetStream Data Analyzer (7) is configured to generate an attack recognition signal in the case where the algorithm application program (8) recognizes said at least one code difference, and to send the attack recognition signal to the flo-tester (2) and/or the Web browser (4) and/or a computer management device (9) and/or an external unit, and/or to store the attack recognition signal in a database.
7. The system (1) according to claim 1, wherein the algorithm application program (8) residing in the NetStream Data Analyzer (7) is configured to process the DOM rendered code so as to compare the DOM rendered code with the DOM client code using a comparison function, in order to generate at least one attack recognition signal in the case where the DOM client code and the DOM rendered code do not match.
8. A method for recognizing browser man-in-the-middle and/or man-in-the-middle network attacks, the attacks being recognized using a system (1) according to the preceding claims, characterized in that the method comprises the following steps:
generating, via a Web browser (4), a request for a web application (6) or a web resource using a URI or URL;
sending the request to a Web server (5) using a flo-tester (2);
receiving DOM server code using the flo-tester (2), wherein the DOM server code is automatically generated by the Web server (5) according to the request;
adding an agent code part to the DOM server code using the flo-tester (2), thereby generating DOM client code, and sending the DOM client code to the Web browser (4);
receiving and processing the DOM client code using the Web browser (4) to automatically generate DOM rendered code, and sending the DOM rendered code to the flo-tester (2);
receiving the DOM rendered code using the flo-tester (2), and automatically sending the DOM client code and the DOM rendered code to a NetStream Data Analyzer (7); and
receiving, processing and comparing at least the DOM client code and the DOM rendered code using an algorithm application program (8) residing in the NetStream Data Analyzer (7), in order to generate at least one attack recognition signal in the case where the DOM client code and the DOM rendered code do not match.
9. The method according to claim 8, wherein the step of sending the request comprises the following steps:
the request is sent using the HTTP or HTTPS protocol,
wherein the agent code part is HTML and/or Javascript code or another type of code and/or language that can be interpreted using a Web browser,
and the DOM client code at least includes the DOM server code and a default code part.
10. The method according to claim 9, wherein the step of receiving and processing the DOM client code to automatically generate the DOM rendered code comprises the following steps:
receiving the DOM client code using the Web browser (4);
processing the DOM server code included in the DOM client code using the Web browser (4), to automatically generate the DOM rendered code; and
processing the agent code part included in the DOM client code using the Web browser (4), to send the DOM rendered code to the flo-tester (2).
11. The method according to claim 8, wherein the step of receiving and comparing at least the DOM client code and the DOM rendered code using the algorithm application program (8) residing in the NetStream Data Analyzer (7), and of generating at least one attack recognition signal in the case where the DOM client code and the DOM rendered code do not match, comprises the following step:
sending the attack recognition signal to the flo-tester (2) and/or the Web browser (4) and/or a computer management device (9) and/or an external unit.
12. The method according to claim 8, wherein the step of receiving and comparing at least the DOM client code and the DOM rendered code using the algorithm application program (8) residing in the NetStream Data Analyzer (7), and of generating at least one attack recognition signal in the case where the DOM client code and the DOM rendered code do not match, comprises the following step:
receiving and comparing at least the DOM client code and the DOM rendered code by executing a comparison function using the algorithm application program (8) residing in the NetStream Data Analyzer (7), in order to generate at least one attack recognition signal in the case where the DOM client code and the DOM rendered code do not match.

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
US201462079337P 2014-11-13 2014-11-13
EP14192969.5 2014-11-13
EP14192969 2014-11-13
US62/079,337 2014-11-13
PCT/IB2015/058307 WO2016075577A1 (en) 2014-11-13 2015-10-28 System and method for identifying internet attacks

Publications (2)

Publication Number Publication Date
CN107209831A true CN107209831A (en) 2017-09-26
CN107209831B CN107209831B (en) 2021-02-05

Family

ID=54476706

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201580061985.1A Active CN107209831B (en) 2014-11-13 2015-10-28 System and method for identifying network attacks

Country Status (4)

Country Link
US (2) US20170324772A1 (en)
EP (1) EP3219072B1 (en)
CN (1) CN107209831B (en)
ES (1) ES2882125T3 (en)

Also Published As

Publication number Publication date
EP3219072A1 (en) 2017-09-20
ES2882125T3 (en) 2021-12-01
US20170324772A1 (en) 2017-11-09
CN107209831B (en) 2021-02-05
US20160142428A1 (en) 2016-05-19
EP3219072B1 (en) 2021-06-09
US11044268B2 (en) 2021-06-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: Milan Italy

Patentee after: Clive associates Inc.

Address before: Trento

Patentee before: Clearfy S.R.L.
